SB20260626121 - Improper input validation in Linux kernel ipv6



Published: June 26, 2026

Security Bulletin ID: SB20260626121
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper input validation (CVE-ID: CVE-2026-53221)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause traffic to be associated with the wrong tunnel.

The vulnerability exists due to improper input validation in vti6_tnl_lookup() when matching IPv6 VTI tunnels during fallback wildcard tunnel searches. A remote attacker can send network traffic that triggers a hash collision and incorrect tunnel selection to cause traffic to be associated with the wrong tunnel.

The issue occurs because candidate tunnels in the fallback search were not verified to actually use wildcard local or remote addresses.
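
The missing check described above, as an added example that is not part of the bulletin and not kernel source: a simplified C model of a tunnel table keyed by a hash of (remote, local), with the fallback search run without (strict=0) and with (strict=1) the wildcard verification. The 4-bucket toy hash, the 2001:db8:: addresses and the names lookup, classify, peer and wild are assumptions made for illustration.

```c
/* Simplified model of a two-address tunnel hash table; not kernel source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUCKETS 4                       /* tiny on purpose: collisions are easy */
struct addr { uint8_t b[16]; };
struct tunnel { const char *name; struct addr laddr, raddr; struct tunnel *next; };
static struct tunnel *table[BUCKETS];
static const struct addr any = {{0}};   /* all zero, i.e. the wildcard "::" */

static struct addr mk(uint8_t last) {   /* constructed 2001:db8::<last> */
    struct addr a = {{0x20, 0x01, 0x0d, 0xb8}};
    a.b[15] = last; return a;
}
static int eq(const struct addr *x, const struct addr *y) { return !memcmp(x, y, 16); }
static unsigned hash(const struct addr *r, const struct addr *l) {  /* toy hash */
    return (unsigned)(r->b[15] ^ l->b[15]) % BUCKETS;
}
static void add(struct tunnel *t) {
    unsigned h = hash(&t->raddr, &t->laddr);
    t->next = table[h]; table[h] = t;
}
/* strict=0: fallback trusts the bucket; strict=1: also requires a wildcard. */
static struct tunnel *lookup(const struct addr *remote, const struct addr *local, int strict) {
    struct tunnel *t;
    for (t = table[hash(remote, local)]; t; t = t->next)      /* exact match */
        if (eq(local, &t->laddr) && eq(remote, &t->raddr)) return t;
    for (t = table[hash(&any, local)]; t; t = t->next)        /* wildcard remote */
        if (eq(local, &t->laddr) && (!strict || eq(&t->raddr, &any))) return t;
    for (t = table[hash(remote, &any)]; t; t = t->next)       /* wildcard local */
        if (eq(remote, &t->raddr) && (!strict || eq(&t->laddr, &any))) return t;
    return NULL;
}
/* Constructed setup: "peer" is bound to one remote, "wild" accepts any remote. */
static const char *classify(uint8_t remote_last, uint8_t local_last, int strict) {
    static struct tunnel peer = { .name = "peer" }, wild = { .name = "wild" };
    static int ready;
    if (!ready) {
        peer.laddr = mk(1); peer.raddr = mk(4); add(&peer);   /* bucket (4^1)%4 = 1 */
        wild.laddr = mk(2); wild.raddr = any;   add(&wild);   /* bucket (0^2)%4 = 2 */
        ready = 1;
    }
    struct addr r = mk(remote_last), l = mk(local_last);
    struct tunnel *t = lookup(&r, &l, strict);
    return t ? t->name : "none";
}
int main(void) {
    printf("loose: %s, strict: %s\n", classify(8, 1, 0), classify(8, 1, 1));
    return 0;
}
```

In the model, traffic from 2001:db8::8 to 2001:db8::1 lands in the same bucket as the "peer" tunnel, so the loose fallback returns a tunnel configured for a different remote, while the strict fallback returns no match and still resolves genuine wildcard tunnels.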


Remediation

Install the update from the vendor's website.